Re: NIST GAK export meeting, short version



Thanks for the great summary, Pat.

> His concern is not that smart people can have stronger crypto, but that
> strong crypto will be easy and widely used. 

This is why the 4 horsemen arguments aren't very convincing.

We often tend to view things in fairly black and white terms:  either we
have privacy or we don't.  But even with strong crypto, most people won't 
have security because they'll screw it up.  (Anyone who has ever been in 
charge of creating accounts for other people knows what kinds of 
passphrases people will pick.)  And even the most conscientious among us 
are still going to be vulnerable to physical attacks on our hardware or 
more exotic attacks like tempest.

The real questions here are (a) how easy will it be to automate
surveillance, and (b) how much is surveillance going to cost, not (c) is
surveillance going to be possible at all?

No matter what happens with the law, determined people will be able to 
protect their privacy fairly well.  And no matter how strong the tools 
are, the government will very often be able to penetrate the defenses 
by physically tampering with a machine, getting one correspondent to sell 
out another, or whatever.

Without crypto, the price of surveillance is going to drop through the
floor.  It's a lot easier to filter email for suspicious key words than it
is to analyse voice traffic on the telephone.  But with crypto, the price 
of surveillance is going to go way up.  Sticking with the status quo 
isn't an option.

I'd feel a lot better if surveillance became more expensive.  I don't have
much faith in our legal protections against government surveillance. 
Sure, they can't introduce evidence into court if it was obtained with an
illegal wiretap.  But if they learn something interesting, they can trump
up an "anonymous tipster" and get a court order.  Who's watching the
watchdogs to make sure they're following the law?  The exclusionary rule
isn't much comfort if it depends on the police admitting that they
violated my rights.  But how else would I know about an illegal government
wiretap? 

How much surveillance is really taking place?  Who knows.  I do know that
if it becomes 10 or 100 times more expensive than it is now, there will 
probably be a lot less of it.